The Journal The Authority on Global Business in Japan

The United States Embassy in Tokyo held a Spotlight on Cybersecurity event at Keio University on May 17.

The United States Embassy in Tokyo held a Spotlight on Cybersecurity event at Keio University on May 17.

In his essay “Hazards of Prophecy: The Failure of Imagination,” famed science fiction writer Arthur C. Clarke stated: “Any sufficiently advanced technology is indistinguishable from magic.” He wrote this in 1973, and indeed the world we live in today sometimes seems magical.

The technology we’ve created makes our lives and businesses better by allowing the world to work in a way that is convenient and empowering—even if we don’t fully understand the underpinnings. This lack of understanding creates an odd balance between trust and fear. We want the benefits of the cloud, for example, but we’re unsure if our data is safe. What will happen if we give ourselves fully over to technology? Hazards of prophecy are real—though we have no failure of imagination.

“Picture someone stealing your identity and now having access to all of your bank accounts, your home security system, working remotely for your employer as you, traveling as you around the world, with the burden on you to now prove that this person is not you,” posed Eric Basu, president and CEO of technology service provider Sentek Global, speaking to The Journal.

Could it happen? Of course. But should these fears stop us from taking advantage of the many benefits that technology offers?

In the 2004 reboot of Glen A. Larson’s famous television series Battlestar Galactica, a mistrust of the connected world leads seasoned military leader Admiral William Adama to order that his ship’s systems never be networked. This, he felt, would keep the crew and their data safe from the enemy.

It mirrors the question that many individuals and businesses ask today: Should we store everything locally or should we put it in the cloud? As organizations, we know data continuity is critical to efficiency and disaster recovery. As individuals, we know the convenience—the magic—of online banking, one-click shopping, and having synchronized information available on multiple devices. But we also know that criminals want our data, and that breaches happen.

So, should we pull the plug on the connectivity that has transformed our world? Is our information safer in a box on our desk or is the cloud actually more secure?

technology-table

PRIMAL INSTINCT
While a case can be made for safety in the cloud, distrust is part of being human.

Ken Katayama, deputy director of corporate affairs at Microsoft Japan, draws an analogy to transportation: “It’s like driving a car. You can get anywhere you want, but you’re the one who is taking the risk. And if you think about it, people die more from car accidents than plane accidents. The airplane is like the cloud. And the cloud itself has a lot of standards that we follow—like ISO, SAS, and compliance and the security standards that we have.”

When it comes to computers, we’ve been conditioned for three decades to fear viruses. In 1983, computer scientist Fred Cohen—then a student at the University of Southern California—created the first computer virus as a way of testing a theory he had about programs that could self-replicate and spread. The experiment was successful, and specialized code got its foot in the door to the place that would one day become the storehouse of all information.

That’s an oversimplification, but it provides a starting point for the foundation of how we see security and why we fear the cloud. If it’s possible to get at data stored on one local computer, what happens when you put multiple copies on remote computers that are out of your control?

UNTO THE BREACH
If we base our view purely on the news, an irrational fear of theft takes over. Reports of new security incidents make headlines frequently, and this creates a feeling of helplessness. Because our data resides in the hands of others—whether on the servers of companies with which we do business or service providers that make our businesses run—we may feel like bystanders. But in reality, there is a lot we can do to protect ourselves.

Admiral Dennis Blair (Ret.), chairman and CEO of Sasakawa USA and former director of US National Intelligence, told The Journal: “Criminals will always go after the low-hanging fruit. Just like locking your car door and using a burglar alarm to deter crime, good cyber safety practices—good passwords, etc.—will reduce the likelihood of being the victim of cybercrime.”

It’s important to take these basic steps because breaches do occur. In 2016, we have seen some of the biggest ever. According to the Identify Theft Research Center (ITRC), as of September 8 there have been 657 breaches exposing 28,648,522 records worldwide.

In May, it was revealed that ADP, the New Jersey-based administrator of payroll, taxes, and benefits for more than 640,000 companies, had been hit by an attack that netted salary and tax info. Sentek Global’s Basu pointed out that someone else could pose as you; and that’s what happened here. According to former Washington Post security reporter Brian Krebs, writing on his blog KrebsOnSecurity, the thieves gained access to the data by registering accounts in the names of employees at more than a dozen companies that are customers of ADP.

In another tax-related breach in the US, the Internal Revenue Service (IRS) had information of more than 700,000 individuals stolen. Thieves made use of an IRS service called Get Transcript, which allows taxpayers to request a variety of reports about their history and receive them either online or by mail.

Meanwhile, in an ironic turn of events, Verizon Enterprise Systems, which provides assistance to Fortune 500 companies that have suffered security breaches, was itself hit by the theft of 1.5 million customer records. The hacker offered the records on underground forums for $100,000.

There was a realistic threat of a cyberattack knocking out the lights during the opening ceremony of the London 2012 Olympic Games.

There was a realistic threat of a cyberattack knocking out the lights during the opening ceremony of the London 2012 Olympic Games.

EVOLUTION
The scope and impact of these incidents are a far cry from what Cohen could have envisioned when he coded that first virus. The threat has shifted drastically over the years.

“There’s been a distinct evolution from breaches that were instigated originally by individuals simply as a technical challenge into highly-funded, profitable group activities,” Robin Tatam, director of security technologies at Minnesota-based HelpSystems, told The Journal. “Carefully architected breaches using phishing emails and malware can result in significant monetary gain, political advantage, and competitive advantage. Even seemingly innocuous breaches seek to access information—like recycled passwords—that can be leveraged in other targeted attacks.”

John Kirch of Darktrace, a security technology company founded by mathematicians and machine learning specialists from the University of Cambridge, also pointed out these methods: “Typically, outside attackers will obtain and use already authorized access credentials of employees to avoid tripping perimeter alarms. By masquerading and securing recognition as a legitimate user at the point of entry, the network considers the attacker a ‘trusted’ user; resulting in an undetected breach that makes infiltrating and controlling an organization almost effortless.”

What this all leads to is the way we think about security. Our view of the threat must evolve. The idea that we simply build a wall around our data and all is fine no longer works. There are numerous entry points for those who would compromise our data. At the same time, basic steps can still go a long way toward protection. Social engineering remains one of the most effective methods that criminals can use; and this is something we can control.

THE INTERNET OF THINGS
Viruses and other threats have evolved in step with the beneficial aspects of technology. It is the latter that we should not lose sight of when we talk about security, says Microsoft’s Katayama.

“Technology is there to help, empowering every person and every organization in this world to achieve more,” he told The Journal. “Technology helps people. I think we’re really approaching the fourth industrial revolution. The first was the locomotive, the second was the car, the third was the computer—big mainframe computers—but now, if you really think about it, the fourth industrial revolution is that everything is connected to the cloud.”

This connectivity has led to what is known as the Internet of Things (IoT). This rapidly growing network of devices, appliances—and just about anything that can contain electronics—is the next phase in the merging of our lives with technology. Enabled by the cloud, IoT was defined in June 2012 by the Global Standards Initiative on Internet of Things (IoT-GSI) as “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.”

But it’s the “existing” part that raises some concern. As more devices—many of which are older and have either extremely weak security or no security at all—are placed online, so the paths through which hackers can access broader networks multiply.

Currently, there are 17.5 billion IoT devices online—including smartphones and tablets—according to research firm IHS Markit. Estimates of what that number will be by 2020 differ greatly, but it’s big. Gartner predicts that there will be 21 billion IoT devices in use worldwide by the time the Tokyo 2020 Olympic and Paralympic Games kick off, while IBM has put its estimate at 1 trillion.

These devices make our lives better, and the benefits are easy to see. So rather than fearing IoT and the cloud, we just need to secure it well. And that means paying attention to areas that may have gone unnoticed in the past.

“Two areas that are particularly overlooked when it comes to protection are mobile Internet and machine-to-machine connections—especially appliances that were previously not connected to the network, such as printers, air-conditioners, and videoconferencing devices,” said Darktrace’s Kirch.

“In fact, Darktrace has found security bypasses stemming even from Facebook, iMessage, and network coffee machines—seemingly innocuous vectors that previously did not require cybersecurity approaches.”

Ken Modeste of global independent safety science company Underwriters Laboratories Inc. (UL) says that, “Today, cybersecurity and connected systems in an IoT world can definitely impact safety, interoperability, and performance; and UL’s goal is to work with organizations to identify the associated risks and develop plans that can support addressing those risks.”

So the tools and expertise are being developed. It is incumbent on the IT departments of companies to make mitigation of these threats part of their comprehensive security strategy.

THE OLYMPICS
That there hasn’t been a major cyberattack disrupting the past few Olympics is somewhat surprising. Or maybe it’s just a sign that security has stayed a step ahead of criminals and terrorists.

In a 2013 interview with BBC Radio 4, part of the program Under Attack—The Threat from Cyberspace, chief information security officer for the London 2012 Olympic and Paralympics Games Oliver Hoare revealed that there had been a realistic threat that the opening ceremony might be disrupted. The threat was not life-threatening; it was that the lights might be turned off during the ceremony. But it highlights the potential remote control over technology that attackers might gain.

Meanwhile, Kaspersky Labs reported on June 13 in IT Threats During the 2016 Olympic Games in Brazil that, in February, “we identified a very interesting targeted campaign, on our domain monitoring system, against the IOC using the malicious domain masquerade as their Intranet portal. The purpose of the attackers was to steal credentials of IOC employees working in Brazil.” The report also highlights cyber threats to those attending the Olympics, including fake tickets, fake giveaways, Wi-Fi security, ATM skimmers, credit card cloning, and USB charging spots.

With four more years for cyber threats to evolve, what must Japan prepare for in the lead-up to the Tokyo Games?

“The biggest threat to the 2020 Olympics could be the disruption of uptime and availability,” according to Kane Lightowler of Carbon Black, a Waltham, Mass.-based endpoint security company. “At a global event such as the Olympics, if communications and Internet access are taken down, it may cause huge problems that will be felt across the globe.”

Admiral Blair of Sasakawa USA told The Journal: “I suppose my fear is that somebody actually gets physically hurt. An attack that takes out the power grid during the opening ceremony might not kill anybody, but the use of hacking techniques to knock security cameras offline or otherwise facilitate a terrorist attack—that sort of mayhem is what I fear most.”

“Terrorist attacks are a possible threat as well,” according to Sentek Global’s Basu. “A standalone cyber terrorist attack would be unlikely to cause great harm unless power were shut off and safety equipment failed as a result. But a cyberattack in combination with a kinetic [physical] terrorist attack is a situation that is becoming more likely all the time.”

HelpSystems’ Tatam acknowledges the kinetic threat, but still sees the remote element as a bigger concern—especially for the Olympics in Tokyo. “The threat of physical terror attacks conducted in populated areas obviously remains high, and any that succeed will continue to be devastatingly impactful on innocent human life. But a cyberwar can be waged just as effectively from thousands of miles away. A cyberattack on an event like the Olympics could take on many different guises, involving transportation, facilities, ticket sales, and even broadcast and surveillance systems.”

tech2

MITIGATION
In January 2015, to prepare for the Games, the Japanese government created a cybersecurity strategy team, while over the next four years the Ministry of Internal Affairs and Communications will train 50,000 people to combat cyber threats.

But effective security and protection of mission-critical infrastructure can’t be done in isolation. Securing electric power distribution systems, for example, includes policies, procedures, technology, and partnerships between various government and private organizations.

As Amandeep Kalra, automation engineer at Schweitzer Engineering Laboratories, explained, “Collaboration between various international information sharing teams, led by countries like the US and Japan, will be critical going forward.” SEL has partnered with utilities and national laboratories across the United States to identify, design, and test new solutions under the US Department of Energy’s Cybersecurity for Energy Delivery Systems (CEDS) program.

“The G7, G8, or a similar group of leading nations must forge ahead with national commitments to one another to exchange more information and share best practices for setting up security stacks, hiring defenders, and training employees,” said Carbon Black’s Lightowler. “We must continue to work together to raise the cybersecurity bar and make cyberattacks much harder and costlier to conduct.”

On the topic of government-to-government collaboration, Blair pointed out: “Both the US and Japan are signatories to the EU Convention on Cybercrime. This shows a real commitment to cross-border cooperation in investigating cybercrime, which is crucial in so many cybercrime cases. My team tells me, though, that even the EU convention procedures can be too slow in this world of digital crime. Recent successes using multinational law enforcement task forces, and other real time collaboration, show that this approach should be part of our bilateral and multilateral cooperation.”

And HelpSystems’ Tatam says cooperation is already working. “Most developed nations are aware of the need for governmental and law enforcement cooperation on a global scale. In recent years, cooperation has led to the arrest, extradition, and imprisonment of those responsible for various breaches. Cybersecurity threats impact citizens of all countries, and the timely sharing of intelligence information is critical.”

NEXT STEPS
So, after taking the lid off Pandora’s box, can we trust the cloud, the Internet of Things, and the informational relationship between company and customer? We must. It is our ingenuity that build the technological infrastructure that makes the world what it is today, and we can’t just unplug the network like Admiral Adama.

As Microsoft’s Katayama explained: “When we talk about cybersecurity, it seems that people always forget about the benefits of technology. We as a cloud company know that this is where the industry 4.0 is going, and the use of technology is there to help people innovate and move forward. Let’s not forget the benefits of IT. But in order to enjoy the benefits, that’s where security comes in.”

So while ingenuity is shared by those who would do harm, the numerous security experts who monitor the threats and develop solutions are keeping us one step ahead. We need to also do our part as businesses and individuals to stay informed and take precautions. Danger is evolving, but so is safety. There’s still a lot of discussion to be had—and more ways in which stakeholders can work together—but we can realize the benefits of technology and find a secure platform that works for all.

Christopher Bryan Jones is Editor-in-chief of The Journal. Originally from Birmingham, Alabama, he has lived in Japan since 1997.
We must continue to work to raise the cybersecurity bar and make cyberattacks much harder and costlier to conduct.